Use Group Policy to enforce Office 2010 settings

Office 2010

Applies to: Office 2010

Topic Last Modified: 2012-02-29

Learn how to use Group Policy to configure and enforce settings for Microsoft Office 2010 users.

The Group Policy Management Console (GPMC), Group Policy Object Editor, and Microsoft Office 2010 Administrative Templates are the Group Policy tools that enable you to manage Office 2010 settings for users.

You must have an Active Directory infrastructure set up on your network to complete the procedures in this article. If you are performing the steps for the first time, follow the sections sequentially.

The Group Policy Management Console (GPMC) and the Group Policy Object Editor are tools that you use to manage Group Policy. GPMC consists of a Microsoft Management Console (MMC) snap-in and a set of scriptable interfaces for managing Group Policy objects (but not Group Policy settings). The Group Policy Object Editor, also an MMC snap-in, is used to edit the individual settings that are contained within each Group Policy object (GPO).

The Administrative Templates contain the registry-based policy settings that you configure for Group Policy objects in the domain. They are contained in several individual .admx (ADMX), .adml (ADML, or .adm (ADM) files, depending on the version of Windows that you are running on your computer. ADML files are language-specific complements to ADMX files. Each ADMX and ADM file contains the policy settings for a single Office application. For example, outlk14.admx contains the policy settings for Outlook 2010, and Word14.admx contains the templates for Microsoft Word 2010.

ADMX files are XML-based administrative template files that were introduced in Windows Vista and Windows Server 2008. They replace ADM files, although you can decide to continue using ADM files, because ADMX and ADM files are stored in different locations. If you use both ADMX and ADM files, policy settings that you configure in the ADMX files override the equivalent policy settings in the ADM files. ADMX files are stored in a single location (whether locally to manage one computer, or in the central store, for all the computers in a domain) and they are configured for multiple GPOs. ADM files are stored in each GPO. This means that each GPO can contain the entire set of ADM files that are configured specifically for that GPO. Therefore, if you are considering using ADM files, think about the effect on central administration, storage, replication time, and network traffic delay compared to using ADMX files.

How you load the Administrative Templates depends on whether you want to use the ADMX or ADM versions.

If you use ADMX and ADML files on computers that run Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, you can store them in one of the following locations:

If you want to manage multiple computers in your domain, create the central store in the Sysvol folder on the primary domain controller. This provides a replicated central storage location for domain Administrative Templates.

When you use a central store, GPMC reads the single set of Administrative Template files that are stored there when you edit, model, or report on a GPO. GPMC reads these files from over the network. Therefore,, you should always connect the GPMC to the closest domain controller. The central store consists of the following:

A root-level folder, which contains all language-neutral ADMX files. For example, create the root folder for the central store on your domain controller at this location:

%systemroot%\sysvol\domain\policies\PolicyDefinitions

Subfolders, which contain the language-specific ADML resource files. Create a subfolder of %systemroot%\sysvol\domain\policies\PolicyDefinitions for each language that you will use. For example, create a subfolder for United States English at this location:

%systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US

For more information about how to store and use the Administrative Templates from a central store, see “Group Policy and Sysvol” in the Group Policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/?LinkId=182208).

If you want to manage a single computer, store them in the PolicyDefinitions folder on the local computer. This enables you to edit the local GPO.

ADMX files are stored in this location: %systemroot%\PolicyDefinitions

ADML files are stored in this location: %systemroot%\PolicyDefinitions\<ll-cc>

where ll-cc represents the language identifier, such as en-us for English United States

Group Policy Object Editor automatically reads all ADMX files that are stored in the central store of the domain in which the GPO was created. If you have set up a central store, Group Policy ignores the local versions of the ADMX templates that are stored on the local computer.

When there is no central store, the Local Group Policy Editor reads the local versions of the ADMX files that are used by the local GPO.

ADM templates are stored in GPOs. If you want to use ADM templates, you must load the ADM templates into each GPO that you want to configure policy settings for.

To load the Office 2010 Administrative Templates (ADMfiles) to a GPO

Verify that you are a member of the Domain Admins group or have the necessary permissions for the GPO: Edit settings or Edit settings, delete, and modify.

For more information about permissions that are needed to manage Group Policy, see “Delegating administration of Group Policy” in the Group policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/p/?LinkId=182208).

In Group Policy Object Editor, right-click Administrative Templates in the Computer Configuration or User Configuration node, and then select Add/Remove Templates. A list of the Administrative Template files that are already added to the GPO is displayed.

To add another Administrative Template file, click Add, and then browse to the location where you have saved the Office 2010 Administrative Template files.

Select the file that you want to add, and then click Open. Repeat this step for each Administrative Template file that you want to add.

When you are finished adding the files to the GPO, click Close. You can then edit the added policy settings in the GPO.

Group Policy settings are contained in GPOs, which are linked to selected Active Directory containers such as sites, domains, or organizational units (OUs) to enforce specific configurations. You can create several GPOs, each with a specific set of configurations. For example, you might want to create a GPO named “Office 2010” that contains only settings for Office 2010 applications, or one named “Outlook 2010” for only Microsoft Outlook 2010 configurations.

To create a GPO

Verify that you have the necessary permissions for the GPO:

By default, only members of the Domain Admins, Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can create new GPOs. For more information, see “Delegating creation of GPOs” in the Group Policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/p/?LinkId=182208).

Open GPMC.

In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a GPO. For example, browse to Forest name, Domains, Domain name, Group Policy Objects.

Click New.

In the New GPO dialog box, specify a name for the new GPO, and then click OK.

When you link a GPO to a domain or other Active Directory container, you apply the policy setting configurations that you make in the GPO to all users or computers that are in the domain or Active Directory container.

To link a GPO

Verify that you have the necessary permissions:

If you want to link an existing GPO to a site, domain, or OU, you must have Link GPOs permission on that site, domain, or OU. By default, only Domain Administrators and Enterprise Administrators have these permissions for domains and OUs, and only Enterprise Administrators and Domain Administrators of the forest root domain have these permissions for sites.

If you want to both create and link a GPO, you must have Link GPOs permissions on the domain or OU to which you want to link, and you must have permission to create GPOs in that domain. By default, only Domain Administrators, Enterprise Administrators, and Group Policy Creator owners have permission to create GPOs.

If you want to link a GPO to a site, notice that the Create and Link a GPO Here option is not available for sites, because it is unclear in which domain to create the GPO. You must first create a GPO in any domain in the forest, and then use the Link an Existing GPO option to link the GPO to the site.

For more information about permissions that are needed to manage Group Policy, see “Delegating administration of Group Policy” in the Group policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/p/?LinkId=182208).

Open GPMC.

In the console tree, locate the site, domain, or OU to which you want to link a GPO. These are located under Forest name, Domains or Sites, or Site name, Domain name, or organizational unit name.

To link an existing GPO, right-click the domain or organizational unit within the domain, and then click Link an Existing GPO. In the Select GPO dialog box, click the GPO that you want to link, and then click OK.

-or-

To link a new GPO, right-click the domain or OU in a domain, and then click Create and Link a GPO Here. In the Name box, type the name that you want to use for the new GPO, and then click OK.

When you edit a GPO, you configure policy settings that apply to the domain or Active Directory container that it is linked to.

To edit a GPO

Verify that you are a member of the Domain Admins group or have the necessary permissions for the GPO: either Edit settings or Edit settings, delete, and modify.

For more information about permissions that are needed to manage Group Policy, see “Delegating administration of Group Policy” in the Group policy Planning and Deployment Guide (http://go.microsoft.com/fwlink/p/?LinkId=182208).

Open GPMC.

In the console tree, double-click Group Policy Objects in the forest and domain that contain the GPO that you want to edit. This is located in Forest name, Domains, Domain name, Group Policy Objects.

Right-click the GPO that you want to modify, and then click Edit. This opens Group Policy Object Editor. Edit settings, as appropriate, in the Group Policy Object Editor console.

Important

The default domain policy and default domain controllers policy are important to the health of any domain. Do not edit the Default Domain Controller Policy or the Default Domain Policy GPOs, except in the following cases:

We recommend that you set account policy in the Default Domain Policy.

If you install applications on domain controllers that require modifications to User Rights or Audit Policies, the modifications must be made in the Default Domain Controllers Policy.

To edit the local GPO: open Group Policy Object Editor by clicking Start, then click Run, type gpedit.msc, and then click OK. To edit the local GPO on another computer, type the following at the command prompt: gpedit.msc /gpcomputer: <ComputerName>.